(54) FAST PACKET ACQUIRING ENGINE/SECURITY

(57) Abstract:

PROBLEM TO BE SOLVED: To provide a cracker monitor system of simple configuration that protects a LAN 1 from attack by a cracker by automatically detecting the cracker's attack on the LAN 1, without burdensome limits on communication and without requiring experienced engineers.

SOLUTION: A sensor 5 is provided in which a hash algorithm is used to sequentially acquire the IP packets passing the entrance of the LAN 1. Based on the acquired IP packets, the sensor 5 quickly detects various attacks by a cracker on the LAN 1. Information about the attack detected by the sensor 5 is supplied to a director 6 that controls a firewall 2. The director 6 sets the firewall 2 according to the supplied information and prevents IP packets related to the detected attack from entering the LAN 1.
[Japanese original text of the specification, paragraphs [001] to [017]; the scan is not recoverable. Fragments that remain legible: the bucket hash h(n) = n mod 1021; the string hash h = (...((s[1]*37 + s[2])*37 + s[3])*37 ... + s[n])*37; hash table sizes of 1021 and 1201 with rehashing; the attacks Port Scan, Syn-flood, Teardrop, Land and Smurf; and packet capture under Linux with tcpdump in promiscuous mode.]

[Claims] 

[Claim 1] A communication device that carries out its detecting elements within the time it takes a packet to pass, without delaying the packet, and is characterized in that it passes packets flowing through a network at high speed so that suitable processing can be performed.

[Claim 2] The communication device according to claim 1, which compresses transmission and reception information by a hash method and is characterized in that all of the information can be developed in a sufficiently narrow memory space.

[Claim 3] The communication device according to claim 1 or 2, characterized in that a double hash and a list mode are used when the hash table is produced, in order to achieve a well head.

[Claim 4] The communication device according to any one of claims 1 to 3, which controls the compression ratio against hash table utilization time and is characterized in that the memory capacity factor is held at about 80% so as to achieve a well head while avoiding collisions.

[Claim 5] The communication device according to any one of claims 1 to 4, aimed at intercepting and detecting the attacks called hacking or cracking on the Internet, especially TCP SYN Flood, Teardrop, Land, Ping of Death and Distributed Denial of Service.

[Claim 6] The communication device according to any one of claims 1 to 5, characterized in that it supplements the communication data about an attack at high speed when an attack such as wresting the password of a route, or a buffer overflow due to a bug in the OS, is caused using communication on the Internet.
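Claim 5 names the attacks the device is meant to detect. As an added illustration, which is not the patent's code, the C below parses the fixed IPv4 header out of raw packet bytes and applies two of those signatures to the packets alone, before any accumulation: Land (a TCP SYN whose source address equals its destination address) and Teardrop-style overlapping fragments (two fragments of one datagram whose byte ranges overlap). The packet bytes are constructed for the example, checksums are left zero, and the header layout, the 8-byte fragment-offset unit and the flag bits are the standard IPv4 and TCP encodings; the helper and sample function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields of the fixed IPv4 header that the checks below need. */
struct ipv4_hdr {
    uint8_t  proto;         /* 6 = TCP, 17 = UDP */
    uint32_t src, dst;      /* host byte order */
    uint16_t id;            /* identification: shared by all fragments of one datagram */
    int      more_frags;    /* MF flag */
    unsigned frag_off;      /* fragment offset in bytes (field value * 8) */
    size_t   hdr_len;       /* IHL * 4 */
    size_t   total_len;     /* header + payload, from the Total Length field */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the IPv4 header; returns 0 on success, -1 if truncated, not IPv4 or inconsistent. */
static int parse_ipv4(const uint8_t *pkt, size_t len, struct ipv4_hdr *h) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    h->hdr_len = (size_t)(pkt[0] & 0x0F) * 4;
    h->total_len = rd16(pkt + 2);
    if (h->hdr_len < 20 || h->total_len < h->hdr_len || h->total_len > len) return -1;
    h->id = rd16(pkt + 4);
    uint16_t ff = rd16(pkt + 6);
    h->more_frags = (ff & 0x2000) != 0;
    h->frag_off = (unsigned)(ff & 0x1FFF) * 8;
    h->proto = pkt[9];
    h->src = rd32(pkt + 12);
    h->dst = rd32(pkt + 16);
    return 0;
}

/* SYN flag of the TCP header following the IP header (only readable in the first fragment). */
static int tcp_is_syn(const uint8_t *pkt, size_t len, const struct ipv4_hdr *h) {
    if (h->proto != 6 || h->frag_off != 0 || len < h->hdr_len + 14) return 0;
    return (pkt[h->hdr_len + 13] & 0x02) != 0;
}

/* Land: a TCP SYN whose source address equals its destination address. */
static int is_land(const uint8_t *pkt, size_t len) {
    struct ipv4_hdr h;
    if (parse_ipv4(pkt, len, &h) != 0) return 0;
    return h.src == h.dst && tcp_is_syn(pkt, len, &h);
}

/* Teardrop-style check: two fragments of the same datagram whose byte ranges overlap. */
static int fragments_overlap(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    struct ipv4_hdr ha, hb;
    if (parse_ipv4(a, alen, &ha) != 0 || parse_ipv4(b, blen, &hb) != 0) return 0;
    if (ha.src != hb.src || ha.dst != hb.dst || ha.id != hb.id || ha.proto != hb.proto) return 0;
    unsigned a_end = ha.frag_off + (unsigned)(ha.total_len - ha.hdr_len);
    unsigned b_end = hb.frag_off + (unsigned)(hb.total_len - hb.hdr_len);
    return ha.frag_off < b_end && hb.frag_off < a_end;
}

/* Build a constructed IPv4 header (no options, checksum left zero) plus a zeroed payload. */
static size_t mk_ipv4(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t id,
                      uint16_t flags_frag, uint8_t proto, size_t payload_len) {
    size_t total = 20 + payload_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                                        /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = (uint8_t)(id >> 8);    buf[5] = (uint8_t)id;
    buf[6] = (uint8_t)(flags_frag >> 8); buf[7] = (uint8_t)flags_frag;
    buf[8] = 64; buf[9] = proto;                          /* TTL, protocol */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    return total;
}

/* Constructed sample: a SYN to 192.168.1.5 from itself (same_addr) or from 198.51.100.1. */
static int sample_land(int same_addr) {
    uint8_t buf[64];
    uint32_t dst = 0xC0A80105u, src = same_addr ? dst : 0xC6336401u;
    size_t len = mk_ipv4(buf, src, dst, 1, 0, 6, 20);    /* 20-byte zeroed TCP header */
    buf[20 + 13] = 0x02;                                   /* TCP flags byte: SYN */
    return is_land(buf, len);
}

/* Constructed sample: fragment 1 covers bytes [0,24) with MF set; fragment 2 carries 16
 * bytes starting at second_off_units*8. Offset unit 2 overlaps; unit 3 abuts cleanly. */
static int sample_fragments(unsigned second_off_units) {
    uint8_t f1[64], f2[64];
    size_t l1 = mk_ipv4(f1, 0xC6336401u, 0xC0A80105u, 0x1234, 0x2000, 17, 24);
    size_t l2 = mk_ipv4(f2, 0xC6336401u, 0xC0A80105u, 0x1234, (uint16_t)second_off_units, 17, 16);
    return fragments_overlap(f1, l1, f2, l2);
}
```

Both checks are stateless enough to run inside the sensor's capture loop without consulting the hash table: Land needs one packet, and the fragment check needs only the previous fragment of the same datagram. A production sensor would also bound how many fragments per datagram it remembers, since the fragment state itself is a resource an attacker can try to exhaust.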

[Detailed description of the invention] 

[001]

[Field of the invention] This invention relates to a system that monitors attacks by a cracker on a network (LAN) via the Internet and, further, protects the network from those attacks.

[Description of the prior art] In recent years the majority of networks (LANs) built in-house, for example by a company, are connected to the Internet, and the exchange (communication) of a variety of information with other networks is performed via the Internet. In this communication, IP (Internet Protocol) is generally used as the protocol corresponding mainly to what is called the network layer of the OSI layer model, and communication data is exchanged in the form of IP packets. As the protocol corresponding mainly to the transport layer above that network layer (a protocol of higher rank than IP), TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) is usually used.

[002]

This kind of network has the advantage that various information can be exchanged at low cost with servers on the Internet, other networks and the like. On the other hand, since the Internet is very open, the network is exposed to the danger of attack from what is called a cracker. For this reason a network must be protected from such attacks. As a system for protecting such a network, a system that places a firewall (more precisely, a computer having the firewall function) at the entrance of the network to be protected is conventionally known. This firewall prevents communication of the kinds defined in advance by the network administrator or the like from being performed between the network and the exterior, and allows only the other, permitted communication between the network and the exterior. In this case the kind of communication to be prevented can be specified by, for example, the source IP address, destination IP address and destination port number contained in an IP packet. With such a firewall (computer), access from outside to a host having a specific IP address in the network, or to a specific port number of that host, can be forbidden, or access to the network from IP addresses other than a specific IP address outside the network can be forbidden. Thus, if the kinds of communication data whose penetration into the network is to be forbidden are appropriately set up in the firewall, the danger of attack on the network can be reduced.

[003]

As a system for detecting attacks on such a network, a system that places an intrusion detection system (a computer that has the function of detecting an invader's communication pattern in detail) at the entrance of the network to be protected is conventionally known. This intrusion detection system detects that communication matching an attacker's pattern of a kind collected in advance is being performed between the network and the exterior, and notifies the administrator. Here, since detection takes time for collecting data and consulting a database, it is usually impossible, on the basis of detecting an attack that has already been delivered, to intercept it or to allow only the other permitted communication between the network and the exterior. To prevent the communication, detection and specification would have to be accomplished from the information contained in the communication within a very short time, for example the time it takes an IP packet to pass; a sniffer, the tool for the usual packet check, or BPF (Berkeley Packet Filter) is too late for this. Thus, even when an intrusion detection system monitors the inside and outside of a network and a firewall forbids intrusion into the network, and even when both are set up appropriately, the danger of attack on the network can be reduced but not eliminated. That is, in order to defend with a firewall or an intrusion detection system, it had to be determined comprehensively what kind of information each host in the protected network uses, whether it should be provided to the outside, what information in the network should be protected, and what kind of thing should be assumed as an expected attack; depending on the case this was impossible even for a remarkably skilled technician.

[004]

Thus network management has always required great labor and cost by a skilled technician, including restoration after being attacked. Moreover, the conventional firewalls described above tend to eliminate all communication that could possibly be offensive: communication of the kinds forbidden by the settings is uniformly eliminated regardless of whether or not it actually stems from an attack by a cracker. That is, the flexibility of communication between the network and the exterior is restricted more than needed. For this reason a network provided with a firewall is restricted in the information services it can use on the Internet, and the inconvenience results that many useful information resources on the Internet cannot be enjoyed.

[005]

[Problems to be solved by the invention] This invention was made in view of this background. Its purpose is to provide a cracker monitoring and attack interception system that automatically detects the attacks received from a cracker without restricting communication more than needed, and that can protect a network against attacks from a cracker with a simple system configuration and without requiring the labor of a skilled technician.

[Means for solving the problem] To attain this purpose, this invention is characterized by a cracker monitor system comprising: means for acquiring, one by one, the IP packets passing through the entrance of a network that communicates based on IP (Internet Protocol), and holding them cumulatively; an attack detection means that detects an attack from a cracker on the network by supervising a plurality of the held IP packets; and a processing means that performs predetermined processing when the attack detection means detects the attack.

[006] 

That is, when the applicant examined the techniques of the various attacks 
by crackers, it was found that most kinds of attack are characterized by a 
mutual relationship among a plurality of IP packets transmitted in series 
during the attack. Thus, the above attack detection means can acquire, one 
by one, the IP packets passing through the entrance of the above network 
and hold them cumulatively, and an attack on the network by a cracker can 
be detected in real time by supervising the plurality of held IP packets. If 
an attack can be detected in this way, the network can be protected from it 
by having the above processing means perform suitable processing in 
response (for example, notifying the network administrator, or intercepting 
the communication from the cracker). In this case, for the detection of and 
defense against an attack by a cracker to be sufficiently accurate, the 
processing must, in short, be remarkably fast. For this reason, a hash-table 
algorithm is required as the technique for accumulating information about 
IP packets at high speed in order to detect an attack. If measures to protect 
the network are then taken on that basis, damage to the network can be 
fully suppressed. 

[007] 

Since an attack by a cracker can be detected in real time by the system of 
this invention, it suffices to take countermeasures against an attack only 
when one is detected. For this reason, the need for network administrators 
to frequently consult what is called a log file (a record of communication) 
is reduced, and the labor of anticipating attacks by crackers when 
constructing or reorganizing a network is lightened. There is no need to 
predict possible attacks and restrict communication between the network 
and the outside while no attack is detected, so the flexibility of 
communication can normally be raised. Thus, according to this invention, 
an attack from a cracker on a network is detected automatically, and the 
network can be protected from such attacks with a simple system 
configuration, without restricting communication more than necessary or 
requiring the labor of a skilled engineer. In this invention, the above attack 
detection means is configured so that it can receive all IP packets passing 
through the entrance of the above network. This makes it possible to 
promptly detect many kinds of attack by a cracker. In this invention, the 
above attack detection means may also be configured so that it is only able 
to receive IP packets. 

[008] 

According to this configuration, the attack detection means does not 
transmit data about itself, such as its own IP address or MAC (Media 
Access Control) address, to the network, so its existence is not recognized 
by a cracker and the like, and the attack detection means itself is not made 
a target of attack. Thus, the safety of the attack detection means can be 
secured, and by extension the reliability of the system of this invention. In 
this invention, the above attack detection means holds an algorithm for 
detecting attacks of a plurality of kinds, and detects those several kinds of 
attack, based on that algorithm, from the plurality of IP packets acquired 
and held. This makes it possible to detect attacks of a plurality of kinds by 
a cracker, and the safety of the above network can be improved. It also 
becomes possible to cope with a new kind of attack by suitably updating 
the algorithm. In this case, the above attack detection means is provided, 
as a means to classify the plurality of acquired and held IP packets at least 
according to source IP address and/or destination IP address, with a hash 
method using a solid-cast type list, and the above several kinds of attack 
are detected from the table of the classified IP packets. 
[009] 

That is, in order to detect attacks of a plurality of kinds, the source IP 
address and destination IP address of an IP packet (both given in the IP 
header of the packet) serve as important keys in many cases. Thus, 
detecting an attack becomes easy if the IP packets acquired within a 
predetermined time are classified according to source IP address and/or 
destination IP address and held in that form. More specifically, in this 
invention the above attack detection means detects an attack using a hash 
table as follows. The hash method (hashing) is a technique for searching 
data in memory at high speed. Unlike the various tree structures, it can be 
implemented easily with only a static array, and its efficiency is very high 
as well. There are several techniques for searching data in an array. Below, 
they are explained in order, starting from the simplest technique and 
ending with the hash method. Consider the case where certain information 
is processed in memory; assume only that a number (an integer) is used as 
the key of the information, and disregard everything else. 

(1) Simple array data 

Data is stuffed into the array in order of appearance. This is a simple and 
fundamental method, and insertion of data is fast, but a search must 
examine the elements sequentially from one end (this is called linear 
search), so on average about half the number of data items must be 
processed. Since this technique is slow, it is better not to use it when there 
are many data items; nevertheless, many programmers learn only this 
method, and it is actually used even when the number of items is large. 
(2) Sorted array 

The data is kept in the array in order of key (in this case, the staff 
number). If this is done, then setting aside the time for inserting data 
(discussed below), the technique of binary search can be used, so a search 
finishes in log(N) operations. Even for data of one million items, log(N) = 
20, so this is very fast for a vast quantity of data as well. On the other 
hand, cost (processing time) arises in maintaining the data. Where the 
contents of the data are fixed (for example, the keywords of Visual Basic: 
print and the like), or where the phase in which the data is generated and 
the phase in which it is referred to are clearly separated (the line type of 
DXF, or a complex graphic definition), the data can be sorted all at once; 
using a high-speed algorithm such as quick sort, this takes N*log(N) 
effort, which is not inferior to the various tree structures. 

However, when data must be inserted into the sorted array while it is 
being collected, the processing time is of the order of N squared, that is, 
slow. 

(3) Reverse length table 

As a special case, assuming small data, consider the case where the 
number is a three-digit integer. The number then has only the 1000 
possibilities 001-999. For this reason, there is a method of preparing an 
array of 1000 elements in advance and storing each item in the array using 
its number as the index. This is called a reverse length table; the pseudo 
code for storing information is as follows. 

master [number] = contents 

Registration and search are very fast, and an advantage of the reverse 
length table is that the processing is also simple. On the other hand, the 
problem is that it cannot be used unless the range of the key is small. For 
example, with large data where the number has nine or more digits, there 
are one billion possibilities, and a reverse length table is not realistic. For 
this reason, the reverse length table is not so common. 

(4) Hash table 

As mentioned above, the number in large data is a nine-digit figure rather 
than one of 1000 values. For this reason, if the number can be mapped by 
a suitable function into the range 0-1000 (in practice a margin is allowed 
and about 1200 is used), a reverse length table can be used. Such a 
function is called a hash function, and a reverse length table that uses a 
hash function is called a hash table. The simplest hash function just takes 
the remainder of the number divided by the size of the array. If the size of 
the array is now set to 1201, it is 

h(n) = n mod 1021 (mod is the operator that gives the remainder). 

The contents are then placed in master[h(number)], but there is one 
problem. As an example, for the number 850604014 the remainder on 
division by 1021 is 746, but other numbers may also have 746 as their 
hash value. This is called a collision. There are various ways of handling a 
collision; a simple one is to use the next slot, and so on. The conspicuous 
feature of the hash method is that registration and search are very 
efficient, and the effort of a search does not change even as the data 
volume increases. Nevertheless, the hash method is seldom used in 
business; the reasons usually recalled are that many people have not 
learned it, and that while hashing in memory is easy, hashing on a disk file 
takes time and effort. Although the above hash function is dramatically 
simple, a little more ingenuity is required for a hash function over a 
character string (for example, a name). The following function is used as 
the hash of a character string. 

h = ((...((s[1]*37 + s[2])*37 + s[3])*37 + ...)*37 + s[n] 

A hash function makes a «random value» from the value of a key, and so 
it is related to algorithms for random number generation. 

The above closely resembles the random number generating method of 
the «linear congruential method». Other prominent random number 
generating methods can also be used as hash functions. Since a hash 
function makes values that overlap as little as possible from the original 
values, a function similar to a hash function is sometimes used as an 
«electronic fingerprint» that shows the characteristics of data. In this case, 
a function for which duplication is practically impossible on actual data is 
devised by making the range of the function large enough and designing 
the function carefully. Electronic fingerprints are used to show that data 
has not been altered, and they are important for electronic commerce 
technology. Since a hash function makes a random value from the original 
data, it is sometimes called a kind of encryption, and "hash" then carries 
exactly that nuance, but this is an inaccurate usage. 1201 is a prime 
number; a prime number is preferred as the size of a table. Performance 
changes with the occupancy factor of the table. At an occupancy factor of 
80 percent, even the simplest method can find an entry in about three 
operations on average. Since efficiency worsens as a hash table becomes 
congested, when it has become congested to some extent (for example, an 
occupancy factor of 90%), the size of the table is enlarged and the data is 
repacked. This is called re-hash. "Hash" means «chopping up» in 
English, and is the origin of the word in hashed beef, rice with hashed 
meat. 

[010] 

The search operation is used very frequently in programming. When the 
amount of target data is comparatively small, acceptable speed is obtained 
on recent high-speed machines even by simply examining the items in 
order. Speed becomes dramatically important when the data volume 
grows large or searches must be performed frequently. There is a great 
deal of literature on searching, and it is best to consult that literature for 
detailed explanation. Here, only what is needed to make a working 
program is shown briefly. 

The first method that comes to mind is what is called linear search: the 
item one wants to access is found simply by examining the data in order 
from the head. The merits of this method are that the data may be 
unordered, and that it is easy to understand and implement immediately 
(in the binary search described later, the data must be sorted before 
searching). Its demerit is that it is slow in many cases: if the wanted item 
lies near the head of the data it is quick, but in the worst case all the data is 
examined. Thus, the speed problem grows as the data volume increases. 
The linear search functions lsearch() and lfind() are in the C library. 

Binary search, the method most popular among programmers, can 
perform high-speed search with comparatively easy preparation compared 
with linear search. Here it is seen from the point of view of usage. As a 
condition, the data must be sorted in ascending order for binary search. 
This is in fact the bottleneck of the method, but it is good when the data is 
comparatively fixed: once sorted, the rest is a matter of repeating searches 
as described above. 
However, when both searches and changes or additions to the data are 
frequent, it must be re-sorted whenever the data changes, and a 
phenomenon may occur in which the sorting takes so much time that the 
whole is not fast at all, however quick the search itself may be. This point 
requires sufficient caution; sorting generally takes more time than 
searching. Because the data is sorted, the search compares the target with 
the middle element and then continues in the front or rear half depending 
on whether the target is smaller or larger, so it is not necessary to examine 
all the data. The data is sorted first, and the comparison function used at 
that time and the comparison function used by the search are meaningless 
unless they are the same. On sorted data, if the item is found its address is 
returned; when it is not found, NULL is returned. When found, the result 
indicates where in the array the item lies. This is convenient when 
searching an array of structures and the like: the search refers to a 
member of a structure and obtains the object. Since the result is obtained 
without examining all the data, this retrieval method is fast compared with 
the previous linear search. Sorting is a problem, and there are various 
sorting algorithms; quick sort, generally used here, is easy and fast. 
However, there is no omnipotent sorting method either, and if the data has 
a characteristic distribution, an algorithm suited to it should be used. 
The point of quick sort is that on average it sorts at high speed without 
depending much on the distribution of the data, so it is convenient and is 
used. In a hash search, the search itself is overwhelmingly fast. When data 
is stored in a table, a key is assigned by an easy formula, and the data is 
stored in a place that can be reached directly by that key. On a search the 
key is calculated by the same formula, and the place is obtained directly. 
For example, to store a character string, the sum of all the character codes 
of the string serves as a key. Since the table for storage cannot usually be 
made indefinitely large, the remainder of that sum divided by the table 
size is used as the actual key. Since there is a sufficient possibility that 
keys will overlap, a method is adopted to cope with this: either the storage 
location is given the form of an array, or a vacant entry is looked for in 
order starting from the key. A character string to be stored in the table is 
passed as an argument, and the key of the storage location is returned. If a 
key is passed, the character string is returned. When a character string is 
passed, the table is examined for whether it exists, and its key is returned 
if it does. If these are used, a character string can be managed by turning 
it into a numerical value, and a character string of unrestricted length can 
be treated as an integer in a program. Since a unique key is certainly 
assigned to a given character string, comparison and the like can be 
performed on the value of the key. 
The index of the array at the storage location is used as the key: the sum 
of all the character codes of the string, reduced by the size of the array. 
Since 0 is reserved for error judgment, the value obtained is incremented 
by 1. Thus, because a hash search jumps to the storage location merely by 
calculating the key, the search time does not change however much the 
data increases. 

In the case of reverse search and registration, if the number of array 
entries examined from the place given by the first key calculation 
increases, it gradually comes to take time; but as long as the first key 
calculation disperses well and the table is not fatally skewed, the speed 
does not become much slower. Although there are individual cases where 
it is better not to use it, where management is difficult, or where deletion 
is impossible, a hash search shows overwhelming strength in coding 
character strings as described above. It is optimal when the registered 
contents do not need to be changed. The function hsearch() is provided in 
the C library, though it has drawbacks such as allowing only one table. 
Although a loop is used where the key is calculated, the number of 
iterations of that loop can be reduced, which makes an improvement in 
speed possible as well. Although linear search, binary search and hash 
search were taken up here, there are still various other algorithms, such 
as search using tree-structured data. 
Since there is no omnipotent method, when high-speed search is needed, 
it is necessary to inquire fully into the data structure and use the optimal 
search. Various kinds of search-only tables have been prepared to cope 
with various searches, but if one considers the time and effort of also 
updating the search table collectively whenever the data is updated, and 
the memory usage of the table itself, a method of post-installation is 
almost ineffective in many cases. 
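As an added example (not the patent's own code), the following Python puts the hash-table explanation of [009] and the hash-search remarks of [010] into working form: h(n) = n mod 1021, the base-37 string hash, a collision handled by taking the next slot, re-hash at about 90% occupancy, and a measurement of the roughly three probes per search the text quotes for 80% occupancy. The table size 1021, the sample keys and the measuring routine are assumptions of the example.

```python
"""Added example (not the patent's own code): the hash table the text
describes. h(n) = n mod M with a prime M (1021 as in the text), strings
hashed with the base-37 polynomial, a collision handled by using the next
slot, and a re-hash into a larger prime table at about 90% occupancy."""
import random

M_DEFAULT = 1021  # the prime table size used in the text's example


def h_int(n, m=M_DEFAULT):
    """h(n) = n mod m: the division-method hash from the text."""
    return n % m


def h_str(s, m=M_DEFAULT):
    """h = ((...((s[1]*37 + s[2])*37 + s[3])*37 ...) + s[n]) mod m.
    Reducing mod m at every step gives the same result as reducing once."""
    v = 0
    for ch in s:
        v = (v * 37 + ord(ch)) % m
    return v


def next_prime(n):
    """Smallest prime >= n; the text prefers a prime table size."""
    def is_prime(k):
        if k < 2:
            return False
        d = 2
        while d * d <= k:
            if k % d == 0:
                return False
            d += 1
        return True
    while not is_prime(n):
        n += 1
    return n


class HashTable:
    """Open addressing in a static array: master[h(key)], next slot on collision."""

    def __init__(self, size=M_DEFAULT):
        self.size = size
        self.keys = [None] * size
        self.vals = [None] * size
        self.count = 0
        self.probes = 0  # slots examined so far; lets us measure search cost

    def _hash(self, key):
        return h_str(key, self.size) if isinstance(key, str) else h_int(key, self.size)

    def _slot(self, key):
        """Index holding key, or the first empty slot on key's probe path."""
        i = self._hash(key)
        for _ in range(self.size):
            self.probes += 1
            if self.keys[i] is None or self.keys[i] == key:
                return i
            i = (i + 1) % self.size  # collision: try the next slot
        raise RuntimeError("hash table is full")

    def put(self, key, val):
        i = self._slot(key)
        if self.keys[i] is None:
            self.count += 1
        self.keys[i], self.vals[i] = key, val
        if self.count > 0.9 * self.size:  # congested: enlarge and repack
            self._rehash()

    def get(self, key):
        i = self._slot(key)
        return self.vals[i] if self.keys[i] == key else None

    def slot_of(self, key):
        """Where key actually landed (differs from h(key) after a collision)."""
        i = self._slot(key)
        return i if self.keys[i] == key else None

    def load_factor(self):
        return self.count / self.size

    def _rehash(self):
        """Re-hash: move every entry into a prime-sized table about twice as large."""
        entries = [(k, v) for k, v in zip(self.keys, self.vals) if k is not None]
        self.size = next_prime(2 * self.size)
        self.keys, self.vals, self.count = [None] * self.size, [None] * self.size, 0
        for k, v in entries:
            self.put(k, v)


def average_search_probes(size=M_DEFAULT, load=0.8, seed=1):
    """Fill a table to the given occupancy with random 9-digit keys (constructed
    input) and return the mean number of slots examined per successful search."""
    rng = random.Random(seed)
    keys = set()
    while len(keys) < int(load * size):
        keys.add(rng.randrange(100_000_000, 1_000_000_000))
    t = HashTable(size)
    for k in keys:
        t.put(k, True)
    t.probes = 0
    for k in keys:
        assert t.get(k) is True
    return t.probes / len(keys)
```

Inserting 850604014 and then 1767 (both hash to 746) shows the second key landing in slot 747, the "next slot" rule from the text.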

[011] 

Next, concrete attacks will be considered. First, as the first kind of attack 
by a cracker, there is an attack of the kind generally called port scan (Port 
Scan). Although this attack does no direct damage to the network, it is 
used in many cases as the prelude to another attack. In this attack, the 
cracker repeatedly transmits IP packets from a host under his own 
management to the network targeted for attack, suitably changing the 
destination IP address and destination port number in the packets, and 
observes the responses to those IP packets at that host. This searches the 
targeted network for IP addresses and port numbers that are used for 
communication with the outside without being restricted by the firewall. 
Here, the port number is data that expresses the kind of service (for 
example, telnet, ftp, smtp, tftp and so on) of the application software 
operating on TCP or UDP, and is given in the TCP header or UDP header 
in an IP packet. In this kind of attack, transmission of the above IP packets 
is usually carried out using a dedicated tool, and many IP packets whose 
source IP address is the same but whose destination IP address or port 
number differ from one another are transmitted to the targeted network 
within a comparatively short time. Therefore, in this invention, when, 
among the plurality of IP packets acquired and held by the above attack 
detection means, there are, in more than a predetermined number, IP 
packets transmitted from the outside to the above network within a 
predetermined time whose source IP addresses are at least mutually the 
same and whose destination IP addresses or destination port numbers 
mutually differ, it is detected that the above attack of the first kind was 
made at that time. Thus, the attack of the first kind called port scan is 
certainly detectable. Next, as the second kind of attack by a cracker, there 
is an attack of the kind generally called Syn-flood. This attack brings 
down a specific host in the network by using a characteristic of TCP. That 
is, in TCP, when two hosts communicate, processing to establish a logical 
connection is first performed between both hosts. In this connection 
establishment processing, an IP packet for Syn is transmitted from one 
host to the other host. In detail, this IP packet for Syn is an IP packet 
whose source IP address and destination IP address are the IP address of 
the one host and the IP address of the other host, respectively, and in 
which, of the Syn bit and the Ack bit of the TCP header in the packet, 
only the Syn bit is set to «1». 

In the connection establishment processing, the other host that received 
this IP packet for Syn transmits an IP packet for Syn/Ack to the one host. 
In detail, this IP packet for Syn/Ack is an IP packet whose source IP 
address and destination IP address are the IP address of the other host and 
the IP address of the one host, respectively, and in which both the Syn bit 
and the Ack bit of the TCP header in the packet are set to «1». In the 
connection establishment processing, the one host that received this IP 
packet for Syn/Ack transmits an IP packet for Ack to the other host, and 
the logical connection between both hosts is established when the other 
host receives this IP packet for Ack. In detail, the IP packet for Ack is an 
IP packet that has the same source IP address and destination IP address 
as the above IP packet for Syn, and in which, of the Syn bit and the Ack 
bit of the TCP header in the packet, only the Ack bit is set to «1». 

[012] 

The above Syn-flood is an attack that uses this characteristic of TCP. In 
this attack, the cracker transmits many IP packets for Syn to a specific 
host of the targeted network within a comparatively short time, and even 
when an IP packet for Syn/Ack is transmitted from that specific host in 
response to each of those IP packets for Syn, no IP packet for Ack is 
transmitted to the specific host. 

When such an attack is made, the above specific host, after transmitting 
the IP packet for Syn/Ack in response to the first IP packet for Syn, 
remains in a state of waiting to receive the packet for Ack for a 
predetermined time (generally 2 minutes) unless the packet for Ack is 
transmitted within that time. Whenever a new packet for Syn is 
transmitted in this state, the specific host accumulates information on that 
new packet for Syn in a buffer space for communications processing, so 
that the connection establishment processing for the new packet for Syn 
can be completed in order. However, there is a limit to the size of this 
buffer space, and when it fills up it becomes impossible for the specific 
host to perform TCP communications processing and the service 
processing on top of TCP. By this, the specific host is brought down. In 
this kind of attack (Syn-flood), comparatively many IP packets for Syn are 
transmitted within the above comparatively short time to a specific host (a 
host having a specific IP address) in the targeted network. Accordingly, 
many IP packets for Syn/Ack are transmitted from that specific host 
toward the outside of the network within a comparatively short time. 
The packets for Ack that should eventually be transmitted to the specific 
host in response to those IP packets for Syn and IP packets for Syn/Ack 
are not transmitted to the specific host. Therefore, in this invention, when, 
among the plurality of IP packets acquired and held by the above attack 
detection means, there are, in more than a predetermined number, IP 
packets for Syn based on TCP (Transmission Control Protocol) 
transmitted from the outside to the above network within a predetermined 
time whose destination IP addresses are at least mutually the same, and an 
IP packet for Ack based on TCP having the same source IP address and 
destination IP address as each of those IP packets for Syn is not acquired 
within the predetermined time, it is detected that the above attack of the 
second kind was made. Alternatively, when, among the plurality of IP 
packets acquired and held by the attack detection means, there are, in 
more than a predetermined number, IP packets for Syn/Ack based on TCP 
transmitted from the above network to the outside within a predetermined 
time whose source IP addresses are at least mutually the same, and an IP 
packet for Ack based on TCP whose destination IP address and source IP 
address are respectively the same as the source IP address and destination 
IP address of each of those IP packets for Syn/Ack is not acquired within 
the predetermined time, it is detected that the above attack of the second 
kind was made. Thus, the attack of the second kind called Syn-flood is 
certainly detectable. 

Next, as the third kind of attack by a cracker, there is an attack of the kind 
generally called Teardrop. This attack brings down a specific host in the 
network by using a characteristic of the processing of divided IP packets 
(what is called IP fragments). That is, while an IP packet is being 
transmitted over the Internet via routers, it may be divided into fragments 
according to the data processing capacity of each router. Since errors can 
arise when a router transmits an IP packet, a router re-sends the IP packet 
in such a case. For this reason, the host at the destination IP address of the 
IP packet may receive the same fragment more than once. Therefore, in 
communication based on IP, when a received IP packet has been 
fragmented, the host that eventually receives it (the host at the destination 
IP address) accumulates and holds each received fragment until it has 
received all of the remaining fragments, and after receiving all the 
fragments performs processing that arranges them and restores the data of 
the original IP packet. The above Teardrop is an attack that uses this 
characteristic of fragment processing. In this attack, the cracker transmits 
many copies of the same fragment to a specific host of the targeted 
network within a comparatively short time, and then transmits the 
remaining fragment to that specific host. When such an attack is made, the 
specific host, on eventually receiving the remaining fragment, attempts to 
restore the data of the original IP packet from that fragment and the many 
fragments transmitted previously, and this processing takes a long time. 
For this reason, the specific host is in effect brought down. In this kind of 
attack (Teardrop), many copies of the same fragment are transmitted to a 
specific host in the network within a comparatively short time, as 
described above. Therefore, in this invention, when, among the plurality 
of IP packets acquired and held by the above attack detection means, there 
are, in more than a predetermined number, fragments of a divided IP 
packet transmitted from the outside to the above network within a 
predetermined time that are the same fragment, it is detected that the 
above attack of the third kind was made at that time. 
Thus, the attack of the third kind called Teardrop is certainly detectable. 
Next, as the fourth kind of attack by a cracker, there is an attack of the 
kind generally called Land. This attack regularly transmits to a specific 
host of the targeted network an IP packet that cannot normally occur, 
whose source IP address and destination IP address are the same. The 
specific host to which such an IP packet was transmitted takes a long time 
processing the IP packet in many cases and is often brought down. 

[013] 

In this kind of attack, an IP packet with the same source IP address and 
destination IP address is transmitted to a specific host in the network as 
described above, and generally a plurality of such IP packets are 
transmitted to the specific host within a comparatively short time. 
Therefore, in this invention, when, among the plurality of IP packets 
acquired and held by the above attack detection means, there are, in more 
than a predetermined number, IP packets transmitted from the outside to 
the above network within a predetermined time whose source IP address 
is the same as their destination IP address, it is detected that the above 
attack of the fourth kind was made at that time. Thus, the attack of the 
fourth kind called Land is certainly detectable. 
Generally, the attacks called Syn-flood, Teardrop and Land mentioned 
above belong to the kind of attack called DoS (Denial of Service). Besides 
Syn-flood, Teardrop and Land, DoS includes for example the kind of 
attack called Smurf and the kind called Floodie. Although Syn-flood, 
Teardrop and Land were mentioned in this specification as typical attacks 
belonging to DoS, it is also possible to detect attacks such as Smurf and 
Floodie. In this invention, provided with an attack detection means that 
detects an attack by a cracker as mentioned above, the processing 
performed by the above processing means is, for example, processing that 
generates and outputs a report showing that the above attack has been 
detected. By generating and outputting this report, a network 
administrator or an external technician is able to take measures for 
eliminating the detected attack. Alternatively, the processing performed by 
the processing means is processing that, after the attack detection means 
has detected the above attack, inhibits for a predetermined time the 
penetration into the above network of IP packets having a specific source 
IP address and/or destination IP address, according to the detected attack. 
[014] 

A hash method with a time cue is used as the high-speed search algorithm; its concrete features are shown in the examples that follow. Kernel coding on LINUX was adopted as the coding method: instead of using the functions of the OS, a program was produced that interfaces with and exchanges data with the hardware directly. Although this takes the most development time, the resulting software runs very fast. Generally, exchanges with an interface are the main work of the OS, and the user of the OS receives them as subroutines to which an interface is attached. Memory management information, for example, is not open to the ordinary UNIX (registered trademark) user and need not be accessed, but since speed was considered important, code that drives the hardware directly was produced here. The OS exists to manage the whole of a varied hardware environment efficiently; to specialize in a single promising function and raise its performance, it becomes necessary to step outside the OS. In conventional similar art, such development had not been performed, so development could be completed in a comparatively short time but the result ran slowly. The present work is the first of its kind to be developed. For mere detection this was unnecessary, because the speed achieved so far was enough as long as a record was left within a time (for example, 1 to 2 seconds) that is slow when seen from the machinery but early enough for a human. This time, since a packet had to be judged and intercepted within the time it takes to pass (about 1/1000 second), a high-speed algorithm and a high-speed program execution system had to be prepared, and a product that performs this processing fully and efficiently at high speed was produced. In addition, there is a function by which the hash table changes with time: information on old packets is extinguished automatically. To counter attacks from the Internet, and especially the attacks called DoS, the ability to respond to a certain number of attack packets within a fixed time is needed, and the role played by the time cue is important. If the time between packets is too long, their offensive effect as DoS fades, so elimination of old entries must be set up. 

[015] 

[Embodiment of the invention] One embodiment of this invention is described with reference to drawing 1, which is a system configuration drawing of this embodiment. In drawing 1, 1 is a LAN serving as the network. This LAN 1 is built, for example, using Ethernet (registered trademark): a plurality of hosts (computers, not shown) are connected via Ethernet cable, a hub and the like. Each host is fitted with an Ethernet card connecting it to the Ethernet cable, software for processing TCP/IP, and various application software running on TCP/IP (for example, telnet, ftp, smtp and so on), so that communication based on IP is enabled. LAN 1 may be built in other forms, such as a token ring, and not only on Ethernet. In the system of this embodiment, a computer 2 having the function of a fire wall as a packet filter (this computer 2 is hereafter simply called the fire wall 2) is placed at the entrance of LAN 1, and LAN 1 is connected to the Internet 3 via the fire wall 2. The fire wall 2 holds a file (hereafter the filter configuration file) in which data specifying what kinds of IP packet are forbidden to enter LAN 1 is written. When an IP packet of a kind whose entry into LAN 1 is forbidden by this filter configuration file is transmitted from the Internet 3 side, the fire wall 2 discards that IP packet and prevents its entry into LAN 1. 

An IP packet whose entry into LAN 1 is not forbidden by the filter configuration file is passed on to LAN 1. A hub 4 is inserted between the fire wall 2 and the Internet 3, and a sensor 5 having the function of the attack detection means is connected to this hub 4. A director 6 having the function of the processing means that controls the fire wall 2 is connected to this sensor 5. The sensor 5 and the director 6 are each constituted by a computer. The sensor 5 is a UNIX machine connected to the hub 4 by an Ethernet card 7. 

Software called tcpdump is installed in the sensor 5. With tcpdump, all IP packets passing through the hub 4 can be captured via the Ethernet card 7 (the traffic is listened to); such operation is commonly called promiscuous mode. The sensor 5 stores each captured IP packet, together with the time at which it was captured, on a hard disk (not shown). When the total amount of IP packets stored on the hard disk reaches a predetermined limit, the sensor 5 deletes the oldest IP packets and stores the newly captured ones in their place. The sensor 5 has no IP address, and it is configured by software not to respond even when packets that solicit a response, such as ARP (Address Resolution Protocol) or RARP (Reverse Address Resolution Protocol) packets, are transmitted to it. 

That is, the sensor 5 performs only reception (capture) of IP packets. Software for detecting the attacks of the 1st to 6th kinds mentioned above (hereafter the attack detection algorithm) is installed in the sensor 5. This attack detection algorithm may instead be installed in the director 6, with the sensor 5 transferring the captured data to the director 6 for processing. Software that controls the fire wall 2 (hereafter the filter control algorithm) is installed in the director 6. 

According to the attack detected by the sensor 5, the filter control algorithm rewrites the data of the filter configuration file appropriately and thereby controls the fire wall 2. 

[016] 

Next, the operation of this embodiment is explained. While storing captured IP packets on the hard disk as described above, the sensor 5 performs the following processing every predetermined cycle time. It reads from the hard disk the IP packets of a predetermined time interval, classifies them by the values of their source IP address and destination IP address, and loads them into a memory (not shown), where they are held. That is, among the IP packets of the predetermined time interval, those having the same source IP address are grouped together and those having the same destination IP address are grouped together, and the groups are loaded into the memory (in the following explanation, a group of IP packets collected in this way is called an IP packet group). After the attack detection processing described later has been applied to the IP packets loaded into the memory, those IP packets are deleted from the memory. In each cycle time, the IP packets loaded into the memory are those captured after the time obtained by adding the predetermined time to the capture time of the oldest IP packet loaded in the previous cycle time. In each cycle time the attack detection processing of the sensor 5 is performed as follows according to the attack detection algorithm. 

The sensor 5 first performs the processing that detects the attack of the 1st kind among the 1st to 6th kinds mentioned above, namely port scan. In this processing, for each IP packet group with the same source IP address whose source IP address is outside LAN 1, the values of all the destination IP addresses (these are IP addresses belonging to LAN 1) of the IP packets contained in that group are extracted. For each extracted destination IP address value, the number of IP packets in that IP packet group (the group of the same source IP address) that have this destination IP address, that have mutually different destination port numbers in the TCP header or UDP header, and that were captured within a continuous predetermined time (for example, within 30 seconds) is counted. When this count reaches a predetermined number (for example, 20), the sensor 5 detects that a port scan attack is being made. 
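As an added illustration (not the patent's own code), the port scan detection just described, written in Python over constructed packet records: captured packets are grouped by source and destination address in a table whose entries expire with time, in the manner of the hash method with time cue of [014], and a group reaches detection when 20 mutually different destination ports appear within 30 seconds. The Packet record layout, LAN_PREFIX and the address values are assumptions made for the example; the alternative detection by destination port, described below, is included as detect_host_sweeps.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed values for the example (not from the patent): LAN 1 uses the
# documentation range 192.0.2.0/24; window and threshold are the text's examples.
LAN_PREFIX = "192.0.2."
WINDOW = 30.0      # continuous predetermined time: 30 seconds
THRESHOLD = 20     # predetermined number: 20 packets with distinct ports


@dataclass(frozen=True)
class Packet:
    """One captured IP packet, reduced to the fields the detector needs (assumed layout)."""
    t: float       # capture time in seconds
    src: str       # source IP address
    dst: str       # destination IP address
    dport: int     # destination port from the TCP or UDP header


def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class TimeCueTable:
    """Hash table keyed by an IP packet group whose entries expire with time.

    Each entry is (capture time, value); on every insert, entries older than
    the window are extinguished, so a slow trickle of packets never accumulates.
    """

    def __init__(self, window: float):
        self.window = window
        self.groups = defaultdict(list)

    def add(self, key, t: float, value):
        cutoff = t - self.window
        live = [(ts, v) for ts, v in self.groups[key] if ts >= cutoff]
        live.append((t, value))
        self.groups[key] = live
        return live


def _detect(packets, key_fn, value_fn):
    """Generic 1st-kind check: a key that sees THRESHOLD distinct values within WINDOW."""
    table = TimeCueTable(WINDOW)
    detected = set()
    for p in sorted(packets, key=lambda p: p.t):
        # only packets from outside LAN 1 to a host inside LAN 1 are considered
        if in_lan(p.src) or not in_lan(p.dst):
            continue
        live = table.add(key_fn(p), p.t, value_fn(p))
        if len({v for _, v in live}) >= THRESHOLD:
            detected.add(key_fn(p))
    return detected


def detect_port_scans(packets):
    """The text's first method: same source and destination host, many different destination ports.

    Returns the set of (source IP, destination IP) pairs in which a port scan was detected.
    """
    return _detect(packets, lambda p: (p.src, p.dst), lambda p: p.dport)


def detect_host_sweeps(packets):
    """The text's alternative method: same source and destination port, many different LAN hosts.

    Returns the set of (source IP, destination port) pairs in which a port scan was detected.
    """
    return _detect(packets, lambda p: (p.src, p.dport), lambda p: p.dst)


def sample_capture():
    """Constructed capture: a fast scan of 25 ports on one host, and a slow scan
    of 25 ports spread over five minutes that never shows 20 ports in 30 seconds."""
    fast = [Packet(t=i * 0.4, src="198.51.100.7", dst="192.0.2.10", dport=i)
            for i in range(1, 26)]
    slow = [Packet(t=1000 + i * 12.0, src="198.51.100.8", dst="192.0.2.10", dport=i)
            for i in range(1, 26)]
    return fast + slow


if __name__ == "__main__":
    print("port scans:", detect_port_scans(sample_capture()))    # {('198.51.100.7', '192.0.2.10')}
    print("host sweeps:", detect_host_sweeps(sample_capture()))  # set()
```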
Data showing this, together with the value data of the source IP address of the IP packet group in which the attack was detected (these data are hereafter called 1st kind attack detection data), is given to the director 6. This processing is performed in turn for every IP packet group with the same source IP address whose source IP address does not belong to LAN 1. Although port scan was detected in this embodiment by counting IP packets with mutually different port numbers, it may also be detected by the following processing. That is, for each IP packet group with the same source IP address whose source IP address is outside LAN 1, the values of all the destination port numbers of the IP packets contained in that group are extracted. For each extracted destination port number value, the number of IP packets in the group from which it was extracted that have this destination port number, that have mutually different destination IP addresses, and that were captured within the continuous predetermined time is counted, and when the count reaches the predetermined number, it is detected that a port scan is being performed. 

On the other hand, the director 6, given the 1st kind attack detection data from the sensor 5, rewrites the filter configuration file of the fire wall 2 so that IP packets having the same source IP address as the source IP address contained in this 1st kind attack detection data are blocked from entering LAN 1 for a predetermined time (for example, 5 minutes) from the present. If an IP packet having that source IP address is transmitted from the Internet 3 during this time, the fire wall 2 discards it and prevents its entry into LAN 1. Thus LAN 1 is protected from the port scan attack. If, before the predetermined time (5 minutes) has passed, the same 1st kind attack detection data as that given previously is given again from the sensor 5, the director 6 controls the fire wall 2 so that IP packets from the source IP address of this 1st kind attack detection data are prevented from entering LAN 1 for the predetermined time (5 minutes) from that point in time. Thus, as long as the port scan attack continues, IP packets from that source IP address cannot enter LAN 1. 

When the 1st kind attack detection data is not given again before the predetermined time (5 minutes) has passed, the director 6 cancels the block on entry into LAN 1 of IP packets from the source IP address of the 1st kind attack detection data. The sensor 5, having performed the port scan detection processing as described above, next performs detection processing for the attack of the 2nd kind (Syn-flood). 
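As an added illustration of the filter control just described (not the patent's or any product's code), a Python model of the director 6's control of the filter configuration file: a detection installs a block that expires after the predetermined time, a repeated detection before expiry renews it from the time of the repeat, and a block whose time passes without a repeat is cancelled. It uses the durations the text gives for the 1st kind (5 minutes on the source address) and, for the 2nd kind described below, 2 minutes on the source address and 2 seconds on the destination address; the BLOCK_RULES table layout, FilterControl class and address values are constructed for the example.

```python
# Block durations in seconds, taken from the examples in the text; the table
# layout itself (field to match, duration) is an assumption of this example.
BLOCK_RULES = {
    1: [("src", 5 * 60)],                # port scan: source address for 5 minutes
    2: [("src", 2 * 60), ("dst", 2)],    # Syn-flood: source 2 minutes, destination 2 seconds
}


class FilterControl:
    """Director 6's view of the fire wall 2 filter configuration file.

    self.rules maps (field, address) to the time at which the block expires;
    rewriting the file is modelled as updating this dictionary. Times are plain
    seconds passed in by the caller so the behaviour can be replayed offline.
    """

    def __init__(self):
        self.rules = {}

    def on_detection(self, now: float, kind: int, src: str = None, dst: str = None):
        """Apply attack detection data; a repeat before expiry renews the block from now."""
        for field, duration in BLOCK_RULES[kind]:
            address = src if field == "src" else dst
            if address is not None:
                self.rules[(field, address)] = now + duration

    def expire(self, now: float):
        """Cancel blocks whose predetermined time has passed without a fresh detection."""
        self.rules = {key: until for key, until in self.rules.items() if until > now}

    def allows(self, now: float, src: str, dst: str) -> bool:
        """Fire wall 2's decision for a packet arriving from the Internet 3 side."""
        self.expire(now)
        return ("src", src) not in self.rules and ("dst", dst) not in self.rules


def replay():
    """Constructed scenario: a port scan source re-detected once, then a Syn-flood."""
    fw = FilterControl()
    log = []
    fw.on_detection(now=0, kind=1, src="198.51.100.7")
    log.append(("scanner at 10 s", fw.allows(10, "198.51.100.7", "192.0.2.10")))
    log.append(("other host at 10 s", fw.allows(10, "198.51.100.9", "192.0.2.10")))
    fw.on_detection(now=240, kind=1, src="198.51.100.7")   # re-detected: renewed until 540 s
    log.append(("scanner at 310 s", fw.allows(310, "198.51.100.7", "192.0.2.10")))
    log.append(("scanner at 541 s", fw.allows(541, "198.51.100.7", "192.0.2.10")))
    fw.on_detection(now=600, kind=2, src="203.0.113.5", dst="192.0.2.20")
    log.append(("victim at 601 s", fw.allows(601, "198.51.100.9", "192.0.2.20")))
    log.append(("victim at 603 s", fw.allows(603, "198.51.100.9", "192.0.2.20")))
    log.append(("flooder at 603 s", fw.allows(603, "203.0.113.5", "192.0.2.30")))
    return log


if __name__ == "__main__":
    for event, allowed in replay():
        print(f"{event}: {'allowed' if allowed else 'blocked'}")
```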

[017] 

In this processing, for each IP packet group with the same destination IP address whose destination IP address belongs to LAN 1, the sensor 5 extracts the SYN packets contained in that group one by one in order of their capture times, and for each extracted SYN packet investigates whether the IP packet group of the same destination IP address contains SYN packets captured within a predetermined time (for example, 2 seconds) from the capture time of that SYN packet. When such SYN packets exist, their number, including the SYN packet extracted first, is counted. Then, for each counted SYN packet, the sensor 5 investigates whether the IP packet group of the same destination IP address contains the corresponding ACK packet, namely an ACK packet that has the same source IP address as this SYN packet, whose sequence number is the next sequence number after the sequence number in the TCP header of this SYN packet, and which was captured within the predetermined time (2 seconds) from the capture time of this SYN packet. 

Each time such an ACK packet exists, the count is decreased by 1. When the investigation of the corresponding ACK packets is finished and the count is still more than a predetermined number (for example, 16), the sensor 5 detects that a Syn-flood attack is being made, and data showing this, the value data of the source IP address of the SYN packet in which the attack was detected, and the value data of the destination IP address (these data are hereafter called 2nd kind attack detection data) are given to the director 6. This processing is performed in turn for every IP packet group with the same destination IP address whose destination IP address belongs to LAN 1. Although Syn-flood was detected in this embodiment based on the number of SYN packets, it may also be detected by the following processing. 

That is, for each IP packet group with the same source IP address whose source IP address belongs to LAN 1, the SYN/ACK packets contained in that group are extracted one by one in order of their capture times, and for each extracted SYN/ACK packet it is investigated whether the IP packet group of the same source IP address contains SYN/ACK packets captured within a predetermined time (for example, 2 seconds) from the capture time of that SYN/ACK packet. 

When such SYN/ACK packets exist, their number, including the SYN/ACK packet extracted first, is counted. For each counted SYN/ACK packet, the IP packet group whose destination IP address is the same as the source IP address of this SYN/ACK packet is investigated for the corresponding ACK packet, namely an ACK packet whose destination IP address is the same as the source IP address of this SYN/ACK packet, whose acknowledgement number is the next number after the sequence number in the TCP header of this SYN/ACK packet, and which was captured within the predetermined time (2 seconds) from the capture time of this SYN/ACK packet. Each time such an ACK packet exists, the count is decreased by 1. When the investigation of the corresponding ACK packets is finished and the count is still more than the predetermined number (for example, 16), it is detected that a Syn-flood attack is being made. 
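As an added illustration (not the patent's own code), the first Syn-flood method of [017] in Python over constructed packet records: for each SYN packet to a host in LAN 1, the SYN packets to that host within 2 seconds are counted, one is subtracted for each of them whose handshake-completing ACK (same source, sequence number one higher, within 2 seconds) was also captured, and a remaining count of 16 or more is reported. The TcpPacket record layout, LAN_PREFIX and the address and sequence values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

LAN_PREFIX = "192.0.2."   # constructed: addresses of LAN 1 (documentation range)
WINDOW = 2.0              # predetermined time: 2 seconds
THRESHOLD = 16            # predetermined number: 16 unanswered SYN packets


@dataclass(frozen=True)
class TcpPacket:
    """A captured TCP/IP packet reduced to the fields the check needs (assumed layout)."""
    t: float     # capture time in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    seq: int     # sequence number in the TCP header
    syn: bool    # SYN flag
    ack: bool    # ACK flag


def detect_syn_flood(packets):
    """Per destination host inside LAN 1, the text's first Syn-flood method.

    For each SYN packet in capture order, count the SYN packets to the same host
    captured within WINDOW of it (itself included); subtract one for every counted
    SYN whose corresponding ACK (same source, sequence number = SYN seq + 1,
    captured within WINDOW of the SYN) exists. A remaining count of THRESHOLD or
    more is reported as (source IP of the first SYN, destination IP).
    """
    groups = defaultdict(list)          # IP packet groups by destination address
    for p in sorted(packets, key=lambda p: p.t):
        if p.dst.startswith(LAN_PREFIX):
            groups[p.dst].append(p)

    detected = set()
    for dst, group in groups.items():
        syns = [p for p in group if p.syn and not p.ack]
        acks = [p for p in group if p.ack and not p.syn]
        for i, first in enumerate(syns):
            burst = [s for s in syns[i:] if s.t - first.t <= WINDOW]
            count = len(burst)
            for s in burst:
                answered = any(a.src == s.src and a.seq == s.seq + 1
                               and 0.0 <= a.t - s.t <= WINDOW for a in acks)
                if answered:
                    count -= 1
            if count >= THRESHOLD:
                detected.add((first.src, dst))
    return detected


def sample_capture():
    """Constructed capture: 20 SYNs in one second that are never completed, and
    18 legitimate connections whose SYNs are each followed by the third-step ACK."""
    flood = [TcpPacket(t=i * 0.05, src="203.0.113.5", dst="192.0.2.10",
                       seq=1000 + i, syn=True, ack=False) for i in range(20)]
    legit = []
    for i in range(18):
        t0, client, isn = 100 + i * 0.05, f"198.51.100.{i + 1}", 5000 + i
        legit.append(TcpPacket(t=t0, src=client, dst="192.0.2.10",
                               seq=isn, syn=True, ack=False))
        legit.append(TcpPacket(t=t0 + 0.01, src=client, dst="192.0.2.10",
                               seq=isn + 1, syn=False, ack=True))
    return flood + legit


if __name__ == "__main__":
    print(detect_syn_flood(sample_capture()))   # {('203.0.113.5', '192.0.2.10')}
```

The 18 legitimate handshakes are all captured inside one 2 second window, so only the ACK subtraction keeps them below the threshold.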

[018] 

The data given from the sensor 5 to the director 6 in this case is data showing that a Syn-flood attack was detected, the value data of the source IP address of the SYN/ACK packet, and the value data of its destination IP address. Here the value data of the source IP address of the SYN/ACK packet and the value data of its destination IP address correspond, respectively, to the value data of the destination IP address and the value data of the source IP address of the SYN packet in the 2nd kind attack detection data explained previously. On the other hand, the director 6, given the 2nd kind attack detection data from the sensor 5, rewrites the filter configuration file of the fire wall 2 so that IP packets having the same source IP address as the source IP address contained in this 2nd kind attack detection data are blocked from entering LAN 1 for a predetermined time (for example, 2 minutes) from the present. At the same time, the director 6 rewrites the filter configuration file of the fire wall 2 so that IP packets having the same destination IP address as the destination IP address contained in the 2nd kind attack detection data are blocked from entering LAN 1 for a predetermined time (for example, 2 seconds) from the present. If an IP packet having that source IP address or that destination IP address is transmitted from the Internet 3 during this time, the fire wall 2 discards it and prevents its entry into LAN 1. Thus LAN 1 is protected from the Syn-flood attack, and the host of the IP address targeted by this attack returns to normal without going down. 

As in the case of port scan detection, if, before the predetermined time (2 minutes) for excluding IP packets having the source IP address in the 2nd kind attack detection data has passed, the same 2nd kind attack detection data as that given previously is given again from the sensor 5, the director 6 controls the fire wall 2 so that IP packets from the source IP address of this 2nd kind attack detection data are prevented from entering LAN 1 for the predetermined time (2 minutes) from that point in time. The same applies to the exclusion of IP packets having the destination IP address in the 2nd kind attack detection data. Thus, as long as the Syn-flood attack continues, IP packets from the source IP address of the attack and IP packets to the destination IP address of the attack cannot enter LAN 1. For both the exclusion of IP packets having the source IP address in the 2nd kind attack detection data and the exclusion of IP packets having the destination IP address in the 2nd kind attack detection data, when the 2nd kind attack detection data is not given again before the corresponding predetermined time (2 minutes or 2 seconds, respectively) has passed, the director 6 cancels the block on entry into LAN 1 of IP packets having the source IP address of the 2nd kind attack detection data or IP packets having the destination IP address of the 2nd kind attack detection data. 

The sensor 5, having performed the Syn-flood detection processing as described above, next performs detection processing for the attack of the 3rd kind (Teardrop). In this processing, for each IP packet group with the same destination IP address whose destination IP address belongs to LAN 1, the sensor 5 extracts one by one the IP packets contained in that group that are fragments of a divided datagram (hereafter simply fragment packets). In IP, a fragment packet is recognized by a specific flag in its IP header being 1 or by its fragmentation offset field having a value greater than 0, so fragment packets can be found out this way. For each extracted fragment packet, the sensor 5 investigates whether the same IP packet group contains fragment packets that have the same IP identification number and the same fragmentation offset value in their IP headers as this fragment packet (that is, fragment packets identical to the extracted one) and that were captured within a predetermined time (for example, 5 minutes) from the capture time of the extracted fragment packet. When such fragment packets exist, their number, including the fragment packet extracted first, is counted. 

When this count is more than a predetermined number (for example, 80), the sensor 5 detects that a Teardrop attack is being made, and data showing this, the value data of the source IP address of the fragment packet in which the attack was detected, and the value data of the destination IP address are given to the director 6 (these data are hereafter called 3rd kind attack detection data). This processing is performed in turn for every IP packet group with the same destination IP address whose destination IP address belongs to LAN 1. 

On the other hand, the director 6, given the 3rd kind attack detection data from the sensor 5, controls the fire wall in exactly the same way as when Syn-flood is detected. That is, the filter configuration file of the fire wall 2 is rewritten so that IP packets having the same source IP address as the source IP address contained in the 3rd kind attack detection data are blocked from entering LAN 1 for a predetermined time (2 minutes) from the present, and at the same time it is rewritten so that IP packets having the same destination IP address as the destination IP address contained in the 3rd kind attack detection data are blocked from entering LAN 1 for a predetermined time (2 seconds) from the present. 

Thus LAN 1 is protected from the Teardrop attack, and the host of the IP address targeted by this attack returns to normal without going down. 

[019] 

The sensor 5, having performed the Teardrop detection processing as described above, next performs detection processing for the attack of the 4th kind (Land). In this processing, for each IP packet group with the same destination IP address whose destination IP address belongs to LAN 1, the sensor 5 extracts from that group the IP packets whose source IP address has the same value as the destination IP address of the group. For each extracted IP packet, it investigates whether the IP packet group of the same destination IP address contains IP packets that have the same source IP address as this IP packet and that were captured within a predetermined time (for example, 2 minutes) from the capture time of this IP packet. 

When such IP packets exist, their number, including the IP packet extracted first, is counted. When this count is more than a predetermined number (for example, 6), the sensor 5 detects that a Land attack is being made, and data showing this, together with the value data of the source IP address of the IP packet in which the attack was detected (these data are hereafter called 4th kind attack detection data), is given to the director 6. This processing is performed in turn for every IP packet group with the same destination IP address whose destination IP address belongs to LAN 1. On the other hand, the director 6, given the 4th kind attack detection data from the sensor 5, rewrites the filter configuration file of the fire wall 2 so that IP packets having the same source IP address as the source IP address contained in the 4th kind attack detection data, and a destination IP address equal to that source IP address, are blocked from entering LAN 1 for a predetermined time (for example, 3 minutes) from the present. If an IP packet having that source IP address and destination IP address is transmitted from the Internet 3 during this time, the fire wall 2 discards it and prevents its entry into LAN 1. 
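As an added illustration (not the patent's own code) serving both the Teardrop detection of [018] and the Land detection just described: both count, for each extracted packet, the packets of the same IP packet group that match it on a key within a predetermined time, so one Python helper serves both, with the key, time and threshold the text gives for each (fragments with the same IP identification number and fragmentation offset, 5 minutes, 80; packets whose source address equals their destination address, 2 minutes, 6). The IpPacket record layout, LAN_PREFIX and the address and header values are constructed for the example.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.0.2."   # constructed: addresses of LAN 1 (documentation range)


@dataclass(frozen=True)
class IpPacket:
    """A captured IP packet reduced to the header fields these checks read (assumed layout)."""
    t: float          # capture time in seconds
    src: str          # source IP address
    dst: str          # destination IP address
    ip_id: int        # IP identification number
    mf: bool          # "more fragments" flag in the IP header
    frag_offset: int  # fragmentation offset


def _count_repeats(packets, select, key_fn, window, threshold):
    """Shared 3rd/4th-kind logic.

    Among packets to LAN 1 that satisfy `select`, take each in capture order and
    count the packets (itself included) with the same key captured within
    `window` of it. A count of `threshold` or more reports (source IP, destination IP).
    """
    chosen = sorted((p for p in packets if p.dst.startswith(LAN_PREFIX) and select(p)),
                    key=lambda p: p.t)
    detected = set()
    for i, p in enumerate(chosen):
        key = key_fn(p)
        n = sum(1 for q in chosen[i:] if q.t - p.t <= window and key_fn(q) == key)
        if n >= threshold:
            detected.add((p.src, p.dst))
    return detected


def is_fragment(p: IpPacket) -> bool:
    """A fragment packet has the more-fragments flag set or a non-zero fragmentation offset."""
    return p.mf or p.frag_offset > 0


def detect_teardrop(packets):
    """Copies of one fragment in the same destination group (same IP id and offset): 80 within 5 minutes."""
    return _count_repeats(packets, is_fragment,
                          lambda p: (p.dst, p.ip_id, p.frag_offset),
                          window=5 * 60, threshold=80)


def detect_land(packets):
    """Packets whose source address equals their destination address: 6 within 2 minutes."""
    return _count_repeats(packets, lambda p: p.src == p.dst,
                          lambda p: (p.src, p.dst), window=2 * 60, threshold=6)


def sample_capture():
    """Constructed capture: a Teardrop burst, one normally fragmented datagram,
    a Land burst at the threshold, and a Land-like trickle below it."""
    pk = [IpPacket(t=i * 0.1, src="198.51.100.7", dst="192.0.2.10",
                   ip_id=7, mf=True, frag_offset=24) for i in range(80)]
    pk += [IpPacket(t=50 + i, src="198.51.100.8", dst="192.0.2.10",
                    ip_id=9, mf=(i < 2), frag_offset=i * 185) for i in range(3)]
    pk += [IpPacket(t=100 + i, src="192.0.2.10", dst="192.0.2.10",
                    ip_id=100 + i, mf=False, frag_offset=0) for i in range(6)]
    pk += [IpPacket(t=300 + i, src="192.0.2.11", dst="192.0.2.11",
                    ip_id=200 + i, mf=False, frag_offset=0) for i in range(5)]
    return pk


if __name__ == "__main__":
    print("teardrop:", detect_teardrop(sample_capture()))  # {('198.51.100.7', '192.0.2.10')}
    print("land:", detect_land(sample_capture()))          # {('192.0.2.10', '192.0.2.10')}
```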



Thus LAN 1 is protected from the Land attack. In this case, as in the case of port scan detection, if, before the predetermined time (6 minutes) for excluding IP packets having the same source IP address and destination IP address as the source IP address in the 4th kind attack detection data has passed, the same 4th kind attack detection data as that given previously is given again from the sensor 5, the director 6 controls the fire wall 2 so that IP packets having the source IP address and destination IP address of this 4th kind attack detection data are prevented from entering LAN 1 for the predetermined time (6 minutes) from that time. Thus, as long as the Land attack continues, IP packets having the source IP address and destination IP address of the attack cannot enter LAN 1. When the 4th kind attack detection data is not given again before the predetermined time (6 minutes) has passed, the director 6 cancels the block on entry into LAN 1 of IP packets whose source IP address and destination IP address are the source IP address of the 4th kind attack detection data. Although in this embodiment the value data of the source IP address of the IP packets of the Land attack was given to the director 6 as the 4th kind attack detection data, the source IP address and destination IP address of the IP packets of a Land attack have the same value, so of course the value of the destination IP address may be given to the director 6 instead of the value data of the source IP address. 

As described above, the sensor 5, having performed the Land detection processing, next performs processing that detects the attack of the 5th kind (acquisition of a password). In this processing, for each IP packet group with the same destination IP address whose destination IP address belongs to LAN 1, the sensor 5 extracts the IP packets that contain user name data and password data for the host of LAN 1 having that destination IP address. Among the extracted IP packets, the number of IP packets whose user name data is the same, whose password data is mutually different, and which were captured within a continuous predetermined time (for example, 2 minutes) is counted. When this count is more than a predetermined number (for example, 20), the sensor 5 detects that an attack of the 5th kind, in which a cracker tries to obtain a password, is being made, and data showing this, the value data of the source IP address of the IP packets in which the attack was detected, and the value data of the destination IP address (these data are hereafter called 5th kind attack detection data) are given to the director 6. 

This processing is performed in turn for every IP packet group with the same destination IP address whose destination IP address belongs to LAN 1. On the other hand, the director 6, given the 5th kind attack detection data from the sensor 5, rewrites the filter configuration file of the fire wall 2 so that IP packets having the same source IP address and the same destination IP address as the source IP address and destination IP address of this 5th kind attack detection data, respectively, are blocked from entering LAN 1 for a predetermined time (for example, 1 hour) from the present. If an IP packet having that source IP address and destination IP address is transmitted from the Internet 3 during this time, the fire wall 2 discards it and prevents its entry into LAN 1. Thus LAN 1 is protected from the attack of the 5th kind that aims at acquisition of a password. 

[020] 

As in the case of detection of a port scan, if, before the above predetermined time (1 hour) of exclusion of IP packets having the source IP address and destination IP address in the 5th kind attack detection data has passed, the same 5th kind attack detection data as that given previously is again given from the sensor 5, the director 6 controls the fire wall 2 so as to prevent, for the predetermined time (1 hour) from that time, the entry into LAN 1 of IP packets having the source IP address and destination IP address in this 5th kind attack detection data. Thus, as long as the attack of the 5th kind continues, IP packets having the source IP address and destination IP address of the attack cannot enter LAN 1. And when the 5th kind attack detection data is not given again before the predetermined time (1 hour) passes, the director 6 cancels the prohibition on entry into LAN 1 of IP packets having the source IP address and destination IP address of the 5th kind attack detection data. As mentioned above, the sensor 5, having performed detection processing for the attack of the 5th kind, next performs processing to detect the attack of the 6th kind (an attack on a security hole).

In this processing, the sensor 5 searches each IP packet group whose destination IP address belongs to LAN 1, among the IP packet groups having the same destination IP address, for an IP packet that carries «lpr», the logical name of a printer, and whose data size is 128 or more characters. When such an IP packet is found, data indicating that an attack of the 6th kind, which attacks a security hole of a host of LAN 1, has been detected is created, and this data, the value data of the source IP address of the IP packet in which this attack was detected, and the value data of the destination IP address are given to the director 6 (these data are hereafter called the 6th kind attack detection data). On the other hand, the director 6, having received the above 6th kind attack detection data from the sensor 5, rewrites the filter configuration file of the fire wall 2 so that, for a predetermined time (for example, 4 hours) from the present, IP packets having the same source IP address and destination IP address as the source IP address and destination IP address in the 6th kind attack detection data are prohibited from entering LAN 1. If an IP packet having the above source IP address and destination IP address is transmitted from the Internet 3 during this time, the fire wall 2 discards that IP packet and its entry into LAN 1 is prevented. Thus LAN 1 is protected from the attack of the 6th kind, which attacks a security hole of a host of LAN 1.

As in the case of detection of a port scan, if, before the above predetermined time (4 hours) of exclusion of IP packets having the source IP address and destination IP address in the 6th kind attack detection data has passed, the same 6th kind attack detection data as that given previously is again given from the sensor 5, the director 6 controls the fire wall 2 so as to prevent, for the predetermined time (4 hours) from that time, the entry into LAN 1 of IP packets having the source IP address and destination IP address in this 6th kind attack detection data. Thus, as long as the attack of the 6th kind continues, IP packets having the source IP address and destination IP address of the attack cannot enter LAN 1. And when the 6th kind attack detection data is not given again before the predetermined time (4 hours) passes, the director 6 cancels the prohibition on entry into LAN 1 of IP packets having the source IP address and destination IP address of the 6th kind attack detection data. As explained above, according to the system of this embodiment, various kinds of attacks on LAN 1 by a cracker are detected in real time, and the proper measures to protect LAN 1 from a detected attack can be taken automatically and promptly, simply by introducing the sensor 5 and the director 6.
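The timed-prohibition behaviour of the director 6 described for the 5th and 6th kind attacks above (install a source/destination prohibition for the predetermined time, renew it from the moment of a repeat detection, cancel it when the time passes with no repeat), together with the sensor's 128-character «lpr» check, written out as a small Python model. This is an added example, not code from the patent; the class and function names and the filter-line format are my own assumptions, and the sample addresses are constructed.

```python
"""Director-style timed block table (added example, not the patent's own code).

Each detection installs a (source, destination) prohibition for a fixed time;
a repeat detection before expiry renews it from that moment; with no repeat
the prohibition lapses when the time passes. Kind numbers and durations come
from the description; class, function names and rule format are assumptions."""
from dataclasses import dataclass, field

# Predetermined exclusion time per attack kind, in seconds (from the text).
BLOCK_SECONDS = {5: 1 * 3600, 6: 4 * 3600}

@dataclass
class Director:
    # (src_ip, dst_ip) -> time at which the prohibition lapses
    blocks: dict = field(default_factory=dict)

    def on_detection(self, kind: int, src_ip: str, dst_ip: str, now: float) -> float:
        """Install or renew the prohibition; returns its new expiry time."""
        expiry = now + BLOCK_SECONDS[kind]
        self.blocks[(src_ip, dst_ip)] = expiry  # a repeat restarts the clock
        return expiry

    def expire(self, now: float) -> list:
        """Cancel prohibitions whose predetermined time has passed."""
        lapsed = [key for key, t in self.blocks.items() if t <= now]
        for key in lapsed:
            del self.blocks[key]
        return lapsed

    def is_blocked(self, src_ip: str, dst_ip: str, now: float) -> bool:
        """Would the fire wall discard a packet with these addresses now?"""
        self.expire(now)
        return (src_ip, dst_ip) in self.blocks

    def filter_rules(self) -> list:
        """Render the table as filter lines (constructed format, not a real one)."""
        return [f"deny ip from {s} to {d}" for (s, d) in sorted(self.blocks)]

def sixth_kind_detected(pkt: dict, lan_hosts: set) -> bool:
    """Sensor check from the text: lpr traffic to a LAN host carrying 128+ data chars."""
    return pkt["dst"] in lan_hosts and pkt["service"] == "lpr" and len(pkt["data"]) >= 128

if __name__ == "__main__":
    d = Director()
    # Constructed sample packet using documentation address ranges.
    pkt = {"src": "203.0.113.7", "dst": "192.0.2.10", "service": "lpr", "data": "A" * 200}
    if sixth_kind_detected(pkt, {"192.0.2.10"}):
        d.on_detection(6, pkt["src"], pkt["dst"], now=0)
    print(d.filter_rules(), d.is_blocked(pkt["src"], pkt["dst"], now=3 * 3600))
```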

For this reason, the labor of building LAN 1 with the attack by a cracker in mind, or of referring frequently to log files, is reduced substantially, and by extension network administrators can reduce the cost of maintaining and managing LAN 1. Since the various attacks by a cracker are detectable in real time, the necessity of restricting communication between LAN 1 and the outside while no attack is detected decreases considerably. For this reason, the flexibility of communication of LAN 1 can be raised, and the information resources on the Internet 3 can normally be utilized to good effect. In the embodiment described above, the fire wall 2 was placed at the entrance of LAN 1, an attack by a cracker was detected, and treatment that eliminates the detected attack was performed automatically by controlling this fire wall 2. However, when an attack by a cracker is detected, it is also possible merely to notify a network administrator, a special defense administrator, or the like to that effect. In this case the director 6 or the sensor 5 is connected to the hosts of the network administrator, the defense administrator and so on via a public line or a dedicated line, for example. And when an attack is detected, information such as the 1st to 6th kind attack detection data mentioned above is transmitted from the director 6 or the sensor 5 to those hosts.

In this way the network administrator will personally perform concrete treatment for protecting LAN 1 from the detected attack. However, since all that is necessary is to take measures when the network administrator receives the above information, even in this case, where the kind of attack is also detected, the measures against the attack can be taken comparatively easily.

Although the above embodiment showed the attacks of the 1st to 6th kind being detected in order, it is also possible to perform the detection processing for those attacks in parallel. The above embodiment showed detection of Syn-flood, Teardrop and Land among the attacks belonging to DoS (Denial of Service) mentioned above. However, it is also possible to detect other attacks, such as DDoS (Distributed Denial of Service), Smurf and Floodie.

[021] 

Industrial applicability 

The cracker monitor system according to this invention, as described above, is useful as a system that can protect networks such as a LAN built by an organization, such as a company or a government office, from attack by a cracker, without spoiling the flexibility of communication through more protection than is needed.



[Brief description of the drawings] 



[Drawing 1 ] Drawing 1 is a system configuration 
drawing of one embodiment of the cracker monitor 
system according to this invention. 